Gen.Variant.Kazy.1750_901b366ca1

by malwarelabrobot on March 29th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.1750 (B) (Emsisoft), Gen:Variant.Kazy.1750 (AdAware), Bancos.YR, ZeroAccess.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 901b366ca1e1e74d751e4b5e3c2160b9
SHA1: 2f55fea37f54e98aeaa7302b096e82f4020f3786
SHA256: 20864785b8f95cc7fbc69b84b4535ed8220a1532635fa1d48a331184875a9405
SSDeep: 24576:R MxjWYOvJRVQURPft2LsRwrufntiLGCNySWow3DQSLxYqH:wM0bBRVxdSsRwwnoTQow3DQWxYqH
Size: 1026048 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-07 11:53:36
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

cscript.exe:600
cscript.exe:1952
cscript.exe:336
cscript.exe:492
cscript.exe:1832
cscript.exe:1940
cscript.exe:488
cscript.exe:1376
cscript.exe:424
cscript.exe:408
cscript.exe:568
cscript.exe:1236
cscript.exe:448
cscript.exe:368
cscript.exe:1132
cscript.exe:616
cscript.exe:244
cscript.exe:264
cscript.exe:1868
cscript.exe:1648
cscript.exe:808
cscript.exe:1748
cscript.exe:644
cscript.exe:1360
cscript.exe:1668
cscript.exe:1368
%original file name%.exe:1140
%original file name%.exe:620
%original file name%.exe:596
%original file name%.exe:628
%original file name%.exe:1308
%original file name%.exe:1920
%original file name%.exe:340
%original file name%.exe:1948
%original file name%.exe:1968
%original file name%.exe:1980
%original file name%.exe:1856
%original file name%.exe:956
%original file name%.exe:652
%original file name%.exe:368
%original file name%.exe:1252
%original file name%.exe:188
%original file name%.exe:616
%original file name%.exe:1276
%original file name%.exe:1492
%original file name%.exe:1700
%original file name%.exe:1648
%original file name%.exe:808
%original file name%.exe:1748
%original file name%.exe:1760
%original file name%.exe:512
%original file name%.exe:1740
%original file name%.exe:1660

The Trojan injects its code into the following process(es):

NesIMIQs.exe:260
fGAwoYMM.exe:1092
reIEcoQI.exe:484

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process fGAwoYMM.exe:1092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)

The process %original file name%.exe:620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MgQkQooM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XSsIUMwE.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MgQkQooM.bat (0 bytes)

The process %original file name%.exe:596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QWYYsEIw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcUokIYQ.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QWYYsEIw.bat (0 bytes)

The process %original file name%.exe:628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GoEAEIQU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rCEgYIYk.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GoEAEIQU.bat (0 bytes)

The process %original file name%.exe:1308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CIAQMkMg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tMYYwUgI.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tMYYwUgI.bat (0 bytes)

The process %original file name%.exe:1920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yuIAsAEc.bat (4 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7737 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OSUQUYEo.bat (112 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7785 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yuIAsAEc.bat (0 bytes)

The process %original file name%.exe:340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AokcokIs.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QiQwIcEs.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AokcokIs.bat (0 bytes)

The process %original file name%.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sWYoskks.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jywcIsoc.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sWYoskks.bat (0 bytes)

The process %original file name%.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MOUUIYsE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oMsQYoUE.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oMsQYoUE.bat (0 bytes)

The process %original file name%.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OwwkQocU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nysQgsoo.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nysQgsoo.bat (0 bytes)

The process %original file name%.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\naccAscE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mWMAgAsA.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mWMAgAsA.bat (0 bytes)

The process %original file name%.exe:956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RuIkMccg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LEIkYEgA.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RuIkMccg.bat (0 bytes)

The process %original file name%.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MYEQAskM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IWEsEIgI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mCgMQYYI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qsIkcYcI.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MYEQAskM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qsIkcYcI.bat (0 bytes)

The process %original file name%.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pQscEkMU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hIckgQkI.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hIckgQkI.bat (0 bytes)

The process %original file name%.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UwgMckQo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cowIMIAQ.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cowIMIAQ.bat (0 bytes)

The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oswscgcc.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CKwsYYAE.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oswscgcc.bat (0 bytes)

The process %original file name%.exe:616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OGYkQQMA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yaEEsIUU.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OGYkQQMA.bat (0 bytes)

The process %original file name%.exe:1276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kiEoQQkk.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\duMAgwMY.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kiEoQQkk.bat (0 bytes)

The process %original file name%.exe:1492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sqoUgoIk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CcsgsEoQ.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sqoUgoIk.bat (0 bytes)

The process %original file name%.exe:1700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VQMksAcs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fSUAsIgw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FOEAIoEU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nmEQkQIE.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fSUAsIgw.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nmEQkQIE.bat (0 bytes)

The process %original file name%.exe:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aKEUwEcI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kSMIgYMk.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kSMIgYMk.bat (0 bytes)

The process %original file name%.exe:808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KusAoUAY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xAwwkYwA.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KusAoUAY.bat (0 bytes)

The process %original file name%.exe:1748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MWYskYcM.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QYQEUEEQ.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MWYskYcM.bat (0 bytes)

The process %original file name%.exe:1760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SogAQMAk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UCwowoQM.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UCwowoQM.bat (0 bytes)

The process %original file name%.exe:512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GcIUkIQs.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CmIwcIMw.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GcIUkIQs.bat (0 bytes)

The process %original file name%.exe:1740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CgwAcMIQ.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FaYAgIQg.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CgwAcMIQ.bat (0 bytes)

The process %original file name%.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iMsksYkI.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XikYIAoE.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iMsksYkI.bat (0 bytes)

Registry activity

The process NesIMIQs.exe:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C BA FA FF 90 E4 44 F5 74 55 BF 27 2C 3A C4 95"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process fGAwoYMM.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E BA B6 BA B2 2B 95 7D 44 C5 8F 0C A9 2A 60 A6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The process reIEcoQI.exe:484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 92 82 58 8B 0F DA C0 DD FF B9 A4 86 FE 6E 96"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process cscript.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 8B 05 AF AB A4 85 B0 DC 27 D1 74 09 76 86 1C"

The process cscript.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 04 E7 5A 38 40 7E 94 81 B2 1B C4 D4 08 3E 80"

The process cscript.exe:336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 81 DD 14 0D 5D FD CF 15 E5 13 2C B3 28 D1 D1"

The process cscript.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 C8 17 26 FC 50 F4 3D 8C 86 CF BE A4 0D 82 19"

The process cscript.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 06 29 AA A3 E8 FC B6 94 BA DB 39 3E 6E 2D 92"

The process cscript.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 54 E1 54 E7 30 DB F3 10 D5 03 5B 41 27 25 D2"

The process cscript.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 4E 12 86 9B 02 5D B2 CC 38 50 7C 3F D8 3F F7"

The process cscript.exe:1376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 6E D2 76 A5 7C F6 7A FE 06 21 11 6A BC 1A 9A"

The process cscript.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 96 2A 1D 16 8B 7D E1 33 99 5A FF DC 7E 41 52"

The process cscript.exe:408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 33 CB 3C 59 C8 0D 58 48 9E 72 0F 36 4F CF 9C"

The process cscript.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 78 DC 44 3C 9A BB C5 99 45 5A 57 36 F8 26 9E"

The process cscript.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 D5 22 11 2D 39 07 53 45 5D 7A 31 68 3D 0B C5"

The process cscript.exe:448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 ED 20 19 8D 65 EF 1E A4 8A E5 F2 D6 C8 95 DC"

The process cscript.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 A8 9E A6 6D 4E E0 EE 17 64 3D 84 1B 8B EA A9"

The process cscript.exe:1132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 51 2B 54 D2 64 49 65 2A FA 5E CB 1A F4 37 AD"

The process cscript.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 30 E0 C8 B1 33 75 4C 66 7C 62 ED DE 6A C2 33"

The process cscript.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 44 ED 4D 26 C0 38 6A A8 BA 3E 79 C3 38 0C FA"

The process cscript.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 55 35 C7 28 62 68 84 40 73 F7 9D FF 0D AD 98"

The process cscript.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 3D B4 3E C6 7C 26 A6 34 EB D3 7C FA 55 9F 2F"

The process cscript.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 1A 54 61 46 D4 0A 29 5D A9 BA 6F 78 29 57 75"

The process cscript.exe:808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 48 17 A5 B3 46 61 DC 82 1D 2E 26 34 C4 7B 70"

The process cscript.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 74 A9 DC F1 F0 39 2E 83 B3 13 A3 EF E2 4B 85"

The process cscript.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 66 FD 66 17 60 6F 21 DF 80 7B 0F A1 CE 19 BE"

The process cscript.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 63 AA C9 E5 95 EF 9E 1E FD D5 DE 3B DE B5 84"

The process cscript.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 08 4A D0 6A BF 2A DB 11 86 E7 93 81 4C E3 A7"

The process cscript.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 22 BC 52 90 CE 49 68 17 A0 BC 64 DB 67 38 C5"

The process %original file name%.exe:1140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 1D FF 26 1B 0C F4 E3 53 77 5C F3 62 40 20 76"

The process %original file name%.exe:620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 97 0E A9 D5 ED 08 53 69 E5 FC F6 94 48 A5 B3"

The process %original file name%.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 84 C3 FD 47 35 1C 76 8D 48 95 23 87 57 09 DA"

The process %original file name%.exe:628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 62 79 D6 69 78 7A 4E 6A 71 5A 4A E7 E7 02 D9"

The process %original file name%.exe:1308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 62 30 2B 43 62 D7 16 7C A5 DD E3 A9 A5 7E 42"

The process %original file name%.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 8A DA 09 E3 71 5C E9 0A 16 1A 62 F1 EF 70 04"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process %original file name%.exe:340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 07 AF 39 4F 4F 79 29 43 55 32 28 06 DC D2 0F"

The process %original file name%.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 1D B1 49 0D D1 60 E0 E9 CD EF 3A C6 6C 61 71"

The process %original file name%.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 46 A3 F4 5A 4C BA 4E D9 F0 CB FA 6E CC 76 64"

The process %original file name%.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 69 D4 3C 3A ED 31 29 88 01 88 04 DF C4 E1 0A"

The process %original file name%.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 9B EF 33 CA D8 34 B5 85 7A 46 B1 40 02 36 F5"

The process %original file name%.exe:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F B5 3D 11 89 08 90 F1 92 1C 51 DA B8 34 5C 44"

The process %original file name%.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD C9 DD B9 5B B1 92 9A F1 C4 76 C6 BF CC 20 B0"

The process %original file name%.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 D6 A6 A3 C7 9D 26 3E 51 CE B9 3A 1E 9A E3 2F"

The process %original file name%.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 40 24 A3 60 95 A4 B4 09 88 E8 F0 24 E9 D1 DD"

The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 54 68 75 B4 16 C6 25 6D FE A4 DA 61 48 58 05"

The process %original file name%.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 4C BD 5A 1D 90 AC 0F D0 55 52 55 F1 9B A8 EF"

The process %original file name%.exe:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 F2 1A 8C 13 AB 79 E1 1F 0C 8B A2 40 B0 F3 97"

The process %original file name%.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC AF 24 F5 A8 53 A5 86 42 58 DE 30 68 88 C8 C9"

The process %original file name%.exe:1700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 6A 5B 17 1D 63 44 8A 8C 4A 5C 98 D9 8B 4F 05"

The process %original file name%.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 8A 6E 24 B5 B4 47 3B 3A 40 4F FE 5B 76 7B E5"

The process %original file name%.exe:808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 DB 65 C8 45 98 AC 30 FD 05 7D A4 45 48 F9 25"

The process %original file name%.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 4B AF 4A 01 BB D9 66 69 C4 C5 81 EB 02 8C B2"

The process %original file name%.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 65 D7 74 9A D3 4A F1 CD 34 C8 4F 41 A4 06 71"

The process %original file name%.exe:512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 FE 39 2A EF 44 36 5A 02 62 40 87 CC 3E FA 5B"

The process %original file name%.exe:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B B3 4B D1 8D 11 49 2E 7D 58 01 CD DC F8 B0 D0"

The process %original file name%.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 E0 BF 6B DA 98 34 9A 47 A3 1D AE 11 37 78 25"

Dropped PE files

MD5 File path
a693ed50043016a50d4cc1bc61e8e9ba c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
351ed48ce7c8ca658597b8016116a33b c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
8838df9ff9dc3ea376b185246b7b3282 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
00cf1ed1216d93f3d40180154fe7aa60 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
220a9c1d0010d92ee0de5da147c74ed7 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
f9e6e260ad737402e4464845e4d4fbd4 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
eb4db5b97ddf0470c5c9e882e55648ce c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
cde091a5a96e230b9ce5ae4baab8abe0 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
92735e2afd8dea5d4652d92238b6efeb c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
f9386be2210eca89591d227993f8976e c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
5b42e92ddc7e3f622a1b0d55d542c641 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
5b1aee3f11cffebceba76f6574ddd0ec c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
cb1707b49591fa12d153fffc7382f427 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
c9d946a3aade2deb03632c9bfa57e851 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
b0af0fafade63956dc0b8353e7ce7345 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
577c84fd31fd120cb2afd523f9cd1479 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
618fec7a695c6ab236402fce76dd8079 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
4be3d428f468e532feea9ed69a8fd632 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
3fcb72ebdb0dbceb9c46ae7a74d7d404 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
bdf96761030aa9fcf1c6db8752acd4f9 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
f14603a39b4ed79db63f31bdd588930f c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
1829567960f132a0cde8f461976db6d6 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
2d3657ea207d79e47c8252d9a3bb5bb5 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
55e336f55003756c1bd1501cac070bf7 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe
4002f55dbf1d87c803e456428a32ea86 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
e4c60c8dc56d6327c12f1cc1f92ff394 c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
587e2e8faf7b732f357ac00197d5182c c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
53995b69cbac86a9cca0ba329d257b12 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
27315d6d417f6684e9dd747eca72d430 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
809965f8e4d4a2af6624c01050792b27 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
e5afa99008e0ed23398f924a45cabb3e c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
370de7bfb744c4845c5ae2a8aa52d904 c:\Documents and Settings\All Users\JuwEIgUE\reIEcoQI.exe
00e87dc3700dccbbe777a421e7f65568 c:\Documents and Settings\All Users\hcYYccwo\NesIMIQs.exe
7ae96f20068d9bf9acdc101e77fca487 c:\Documents and Settings\"%CurrentUserName%"\dUskcAww\fGAwoYMM.exe
369cd341046b3f34fbdc129e72223b36 c:\Perl\eg\IEExamples\ie_animated.gif.exe
4cca5db5753fec4111a958a0e27ea5d8 c:\Perl\eg\IEExamples\psbwlogo.gif.exe
7222d68632a6bdf83d04c42fa0d1d490 c:\Perl\eg\aspSamples\ASbanner.gif.exe
2eabab0a30ffbaa74cc97d2e53a2cc1b c:\Perl\eg\aspSamples\Main_Banner.gif.exe
47171c6714cd4ff7ad3ed665c1d9224a c:\Perl\eg\aspSamples\psbwlogo.gif.exe
7d5ee23dd4dd677383edb0f8b24f8b37 c:\Perl\html\images\AS_logo.gif.exe
46ffc3005c9cbd274d2058c027547dc6 c:\Perl\html\images\PerlCritic_run.png.exe
bf6057ad2cf3a5d97dc240c055528099 c:\Perl\html\images\aslogo.gif.exe
5080135926e61c7b3c86863985aa53e4 c:\Perl\html\images\ppm_gui.png.exe
99fbeeeee0d9accf2e6c55dd4f7268db c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe
9058513ef1aefc1b45634ec056f726d0 c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe
2e559d411c687e9ecf5488c912bcafd9 c:\Perl\lib\Devel\NYTProf\js\asc.png.exe
4bce315a665472f5052b16520a15e9ab c:\Perl\lib\Devel\NYTProf\js\bg.png.exe
bc34d619af8e6360ccd25c4b21369973 c:\Perl\lib\Devel\NYTProf\js\desc.png.exe
ad7625a11eb8a27f8dd669b055a280e7 c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe
6008e26dfd6fd134cd30cc413575c6b6 c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe
7ac843023724bce2f22c56511dc27b74 c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe
5a14d8959e2f9b12d7496dc6b927488f c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe
aa67eef532d0c9e4381d135bd9f98aaa c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe
d012246155ff4394d4f2a51eb665d5fb c:\Perl\lib\Mozilla\CA\cacert.pem.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             1019904       1018880   5.45691   9f69f7e7277ebf1b01582c8ff95ca717
.rdata  1024000          4096          512       2.22347   1d539e7d78abc1bb708fc9a2c829ff48
.data   1028096          4             512       0.053811  9dcd6c545a34c3b2acc310a8f6045f46
.rsrc   1032192          4444          4608      2.04696   56bf39e2739fbb0513597c0464f996ac

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    cscript.exe:600
    cscript.exe:1952
    cscript.exe:336
    cscript.exe:492
    cscript.exe:1832
    cscript.exe:1940
    cscript.exe:488
    cscript.exe:1376
    cscript.exe:424
    cscript.exe:408
    cscript.exe:568
    cscript.exe:1236
    cscript.exe:448
    cscript.exe:368
    cscript.exe:1132
    cscript.exe:616
    cscript.exe:244
    cscript.exe:264
    cscript.exe:1868
    cscript.exe:1648
    cscript.exe:808
    cscript.exe:1748
    cscript.exe:644
    cscript.exe:1360
    cscript.exe:1668
    cscript.exe:1368
    %original file name%.exe:1140
    %original file name%.exe:620
    %original file name%.exe:596
    %original file name%.exe:628
    %original file name%.exe:1308
    %original file name%.exe:1920
    %original file name%.exe:340
    %original file name%.exe:1948
    %original file name%.exe:1968
    %original file name%.exe:1980
    %original file name%.exe:1856
    %original file name%.exe:956
    %original file name%.exe:652
    %original file name%.exe:368
    %original file name%.exe:1252
    %original file name%.exe:188
    %original file name%.exe:616
    %original file name%.exe:1276
    %original file name%.exe:1492
    %original file name%.exe:1700
    %original file name%.exe:1648
    %original file name%.exe:808
    %original file name%.exe:1748
    %original file name%.exe:1760
    %original file name%.exe:512
    %original file name%.exe:1740
    %original file name%.exe:1660

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
    C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
    C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
    C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\KAAo.txt (55978 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
    C:\totalcmd\TcUsbRun.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
    C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
    C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MgQkQooM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XSsIUMwE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QWYYsEIw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vcUokIYQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GoEAEIQU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rCEgYIYk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CIAQMkMg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tMYYwUgI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yuIAsAEc.bat (4 bytes)
    %Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7737 bytes)
    %Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7713 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OSUQUYEo.bat (112 bytes)
    %Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7785 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AokcokIs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QiQwIcEs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sWYoskks.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jywcIsoc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MOUUIYsE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oMsQYoUE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OwwkQocU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nysQgsoo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\naccAscE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mWMAgAsA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RuIkMccg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LEIkYEgA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MYEQAskM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IWEsEIgI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mCgMQYYI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qsIkcYcI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pQscEkMU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hIckgQkI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UwgMckQo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cowIMIAQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oswscgcc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CKwsYYAE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OGYkQQMA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yaEEsIUU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kiEoQQkk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\duMAgwMY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sqoUgoIk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CcsgsEoQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VQMksAcs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fSUAsIgw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FOEAIoEU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nmEQkQIE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aKEUwEcI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kSMIgYMk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KusAoUAY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xAwwkYwA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MWYskYcM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QYQEUEEQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SogAQMAk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UCwowoQM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GcIUkIQs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CmIwcIMw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CgwAcMIQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FaYAgIQg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iMsksYkI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XikYIAoE.bat (112 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
